The EU AI Act: Update on the application timeline and implications for Swiss companies

Looking back: Limited core provisions already in effect

Until now, only a limited set of provisions of the AI Act have been applicable. Certain core provisions on prohibited AI practices entered into force in February 2025. These prohibitions include manipulative or deceptive techniques as well as the use of “real-time” remote biometric identification systems in public spaces, except in narrowly defined situations such as criminal investigations related to terrorism or missing persons.

August 2025: Majority of the AI Act takes effect

On 2 August 2025, a significant number of provisions of the AI Act entered into force, including the requirements for general-purpose AI ("GPAI"), the governance framework and the penalties. Some of the provisions that entered into force this week include:

• Framework for the Conformity Assessment: Under the AI Act, certain high-risk AI systems require a conformity assessment by a competent body (“notified body”). The EU member states have to define one or several authorities responsible for the regulation and oversight of the notified bodies (which will be privately organized),. Importantly, the actual requirement to perform conformity assessments will only enter into force in 2026 as part of the provisions on high-risk AI.
• General-Purpose AI: Providers of GPAI models will face a range of obligations under the AI Act, particularly in the areas of technical documentation and transparency. This includes, among others, transparency on copyrighted data used for training and a requirement to design the GPAI to prevent the generation of illegal content. Providers of GPAI that pose systemic risk (which is defined based on quantitative thresholds) are subject to enhanced obligations, including on more detailed documentation, regular reporting and additional transparency requirements.
  The definition of GPAI in essence covers large language models that have a wide area of application. “Provider” is defined as the entity developing such models or putting them on the market. Hence, the scope of these requirements is limited to a specific set of AI providers. 
  Notably, foreign providers of GPAI models in the EU market must appoint an EU-based authorized representative as of 2 August 2025.
• Governance: The formal governance framework for the oversight and supervision of the AI Act will bring two new bodies on the EU level:
  • The AI Office, located within the European Commission and tasked with ensuring the uniform application of the AI Act among member states and the monitoring of GPAI;
  • the AI Board, composed of one representative from each member state and tasked with coordination and advisory functions.

  
  At the national level, each member state is required to designate the national competent authorities to implement and enforce the AI Act, including the supervision of the notified bodies (see above) and monitoring compliance of AI systems that have been placed on the market.

• Penalties: As of 2 August 2025, certain violations of the AI Act (to the extent in force) will be subject to monetary penalties which may, depending on the specific provision violated and the size of the company, amount up to the higher of EUR 35 million or 7% of the company's worldwide annual turnover. Penalties will be enforced by the national competent authorities in accordance with national law implementing the AI Act.

2026 – What is yet to come

Most of the remaining provisions of the AI Act, in particular the requirements for high-risk AI systems, will enter into force on 2 August 2026. As of that date, high-risk AI systems will have to comply with detailed provision on, among others, technical documentation, data governance, human oversight, cyber security and, in certain cases, conformity assessments.

The final provisions of the AI Act will enter into force on 2 August 2027. Those rules will significantly expand the regulatory scope of high risk AI systems and thus also the scope of the respective obligations. Certain grandfathering rules, in particular for legacy GPAI models, will also expire on this date.

The AI Act also applies to companies outside of the EU – including in Switzerland

The AI Act extends its jurisdiction beyond the EU borders and may directly apply to Swiss companies. This extraterritorial application is triggered in two main scenarios:

• Providers that place AI systems or GPAI models on the EU market, regardless of whether the provider is established within the EU or in a third country; or
• Where an AI system or its output is used within the EU, even if the provider or operator is based outside the EU.

The concept of “placing on the market” includes any situation where an AI system or GPAI model is made commercially available to EU users. This may include offers on websites, platforms, or services directed at the EU – signaled, for instance, by the use of EU currencies, local delivery options, or targeted advertising. A physical presence in the EU is not required; what matters is market accessibility and targeting.

Similarly, the AI Act applies where the output of an AI system is used within the EU, even if the system operates entirely outside the EU (e.g., hosted on servers in Switzerland). In such cases, Swiss providers may be subject to the AI Act.

Planning ahead

As the AI Act applies in essence to GPAI models only (as of today), providers of these models also outside the EU may become subject to the AI Act. Once the full set of rules on high-risk AI models come into force next year, the number of companies outside the EU subject to the AI Act will expand considerably. Hence, companies that could be considered providers of AI models into the EU market or operators of AI models used in the EU market should plan ahead and proactively analyse whether and how they fall under the AI Act.

Please do not hesitate to contact us in case of any questions.

Legal Note: The information contained in this Smart Insight newsletter is of general nature and does not constitute legal advice.